CVE-2023-38497
Publication date 3 August 2023
Last updated 24 July 2024
Ubuntu priority
Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in `~/.cargo`.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| cargo | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy |
Fixed 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.22.04.2+esm1
|
|
| 20.04 LTS focal |
Fixed 0.67.1+ds0ubuntu0.libgit2-0ubuntu0.20.04.2+esm1
|
|
| 18.04 LTS bionic |
Fixed 0.66.0+ds0ubuntu0.libgit2-0ubuntu0.18.04.1~esm1
|
|
| 16.04 LTS xenial |
Fixed 0.47.0-1~exp1ubuntu1~16.04.1+esm1
|
|
| 14.04 LTS trusty | Ignored | |
| rust-cargo | 24.04 LTS noble |
Vulnerable
|
| 22.04 LTS jammy |
Fixed 0.57.0-1ubuntu0.1~esm1
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| rustc | 24.04 LTS noble |
Vulnerable
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
sbeattie
cargo in mantic was merged into rustc
alexmurray
requires an update to the tar rust dependency (tar 0.4.39) - this is packaged as rust-tar in Ubuntu but only the rust-cargo package appears to use this - rustc and cargo both vendor a copy of this package
litios
a workaround for this issue is to prevent access to the ~/.cargo directory to other users.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.3 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6275-1
- Cargo vulnerability
- 3 August 2023